Microsoft Tweaks Windows XP Wireless Security

Microsoft last month quietly issued a long-overdue update to fix a simple yet potentially dangerous security weakness in the way embedded wireless cards work on Windows XP laptops.

Open up an XP portable, and if you're looking with the right tools you'll notice the machine starts scanning for wireless networks that it recognizes. It does this by sending out a beacon advertising the names of the networks it is seeking. An XP laptop will run through the entire list of network names with which it has previously associated, over and over, until the machine has associated with a network. Some wireless adapters will go so far as to automatically probe for randomly generated network names.


The upshot of all this is that bad guys can take advantage of these behaviors, as I wrote in January from the Shmoocon hacker conference, where security gadfly Mark "Simple Nomad" Loveless called attention to this problem. Loveless showed that by sniffing the wireless requests sent out by a target XP machine, an attacker can learn the name of a previously associated network and force the target to connect directly to the attacker's PC, which for all intents and purposes appears to the would-be victim as just another wireless access point (assuming the victim is even paying attention during all of this).
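From the defender's side, the two behaviors described above are visible in the air: a client naming its preferred networks in directed probe requests, and a single access point that answers probes with whatever name it was asked for. The following script is an added example (not from the article or from Microsoft) that runs both checks over a small constructed set of 802.11 management-frame records; the record format and the sample MAC addresses and SSIDs are invented for illustration.

```python
"""Flag preferred-network leakage and SSID-impersonation in constructed
802.11 probe records (illustrative data, not a real capture)."""
from collections import defaultdict

# Constructed records: (frame_type, source_mac, ssid). Probe requests come
# from clients; probe responses come from access points (source = BSSID).
SAMPLE_FRAMES = [
    ("probe_req", "00:11:22:aa:bb:01", "HomeNet"),
    ("probe_req", "00:11:22:aa:bb:01", "OfficeWLAN"),
    ("probe_req", "00:11:22:aa:bb:01", "Free Public Wireless"),
    ("probe_req", "00:11:22:aa:bb:01", "HomeNet"),
    ("probe_req", "00:11:22:aa:bb:02", ""),            # broadcast probe, no leak
    ("probe_resp", "66:77:88:cc:dd:01", "HotelGuest"),
    ("probe_resp", "66:77:88:cc:dd:02", "HomeNet"),
    ("probe_resp", "66:77:88:cc:dd:02", "OfficeWLAN"),
    ("probe_resp", "66:77:88:cc:dd:02", "Free Public Wireless"),
]


def leaked_preferred_networks(frames):
    """Map each client MAC to the set of SSIDs it named in directed probes.
    An empty SSID is a broadcast probe and reveals nothing about the
    client's preferred-network list."""
    leaks = defaultdict(set)
    for ftype, mac, ssid in frames:
        if ftype == "probe_req" and ssid:
            leaks[mac].add(ssid)
    return dict(leaks)


def impersonating_bssids(frames, threshold=2):
    """Return BSSIDs that answered probes with more than `threshold`
    distinct SSIDs. A legitimate AP advertises one or a few names; one
    BSSID echoing back every name clients ask for is the rogue-AP
    behaviour the article describes and deserves a closer look."""
    ssids = defaultdict(set)
    for ftype, bssid, ssid in frames:
        if ftype == "probe_resp" and ssid:
            ssids[bssid].add(ssid)
    return {b: s for b, s in ssids.items() if len(s) > threshold}


if __name__ == "__main__":
    for mac, names in leaked_preferred_networks(SAMPLE_FRAMES).items():
        print(f"{mac} leaks preferred networks: {sorted(names)}")
    for bssid, names in impersonating_bssids(SAMPLE_FRAMES).items():
        print(f"{bssid} answered {len(names)} different SSIDs (possible rogue AP)")
```

On a real capture the same logic applies to the probe request and probe response frames a monitor-mode sniffer records; the threshold should be tuned for sites that legitimately run several SSIDs per radio.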

Even before Nomad's talk, this problem had been brought to Microsoft's attention by security researcher Dino Dai Zovi, who months earlier gave a presentation at Microsoft's invitation-only Blue Hat security conference in which he demoed how such an attack might work.

"In a hall of 400-500 engineers, we hijacked upwards of 100 clients instantly, enough that our Linux laptop became unstable from all the wireless traffic passing through it," Dai Zovi recalled in a writeup sent to the Bugtraq security mailing list. "In practice, since nearly every roaming laptop has at least one unencrypted hotspot network in [its] preferred/trusted networks, almost all Windows XP and Mac OS X laptops are susceptible to this kind of attack."

Note that last line: Mac OS X had this very same problem, one that Apple fixed in July 2005, just a couple of months after Dai Zovi's presentation.

Microsoft doesn't classify this as a "security update," but if you're using a Windows laptop, it's a good idea to apply this patch. According to Dai Zovi, using a software firewall (even the built-in Windows Firewall) will prevent vulnerable XP machines from being attacked via this weakness.

"However, when the attacker controls the DHCP and DNS server (as they do when they are acting as a rogue access point), the victim [computer] can be attacked when it makes outbound connections," Dai Zovi wrote in an e-mail to Security Fix. (DHCP servers are responsible for handing out network addresses to computers on the fly, and DNS servers serve as a kind of "yellow book" for Internet traffic, translating human-friendly Web site names into numeric Internet addresses that are easier for computers to understand.)

Dai Zovi continues: "The rogue access point coerces the client into connecting to the attacker's machine, thus obviating the firewall. This usually requires the user having Web or mail software running, but automatic outbound network requests from [those kinds of programs are] very common and these may be attacked."

This patch did not show up when I ran a Microsoft Update scan on my HP laptop (even under optional updates), but you can manually download and install it from here.

It is probably worth noting that getting this update requires participation in Microsoft's odious "Genuine Windows" program. This is what the download page says:

"This download is available to customers running genuine Microsoft Windows. Please click the Continue button to begin Windows validation. As described in our privacy statement, Microsoft will not use the information collected during validation to identify or contact you."

In other words, our software is defective, but we won't let you use anyone else's tools to fix it.

Call me paranoid, but this is one of many reasons I disable the wireless card in my laptop via the BIOS and do not load any wireless drivers in the operating system. I do not trust wireless, as you have virtually no control over where the signal goes. At least with a hard-wired connection, you have to have physical access.

When needed I look for a hotel with a hard wire connection and also use my SOHO hardware firewall from home, along with the Windows Firewall.

I know there are ways to secure wireless, but for me it's not worth the effort for the convenience and never as secure as hard wired.

Thanks for the laugh, but at least you know what you don't know, sort of. You don't understand the threat at all, and your double firewall setup is further proof.

Brian only indirectly mentioned an important point: This would have to be unencrypted AP. I never use an unencrypted access point. In other words, my data is completely secure... until it gets to the wired network, that is. Then, all bets are off. For all the hype to the contrary, my wireless link is usually my most secure hop.

For the same reason, I wouldn't want this patch. When the laptop probes for my home/work APs, it can join them faster, and since I am not at risk, a mandatory update is clearly not appropriate here.

My laptop with built-in wireless is from a manufacturer that isn't one of the top brands (Lenovo, HP, etc).

I have an Averatec laptop. It has one feature I haven't seen on other systems though. There is a slide switch on the front of it to turn the built-in wireless on / off. I don't have to right-click anything or go into the BIOS or tell Windows to disable it. Just 'slide' disabled and 'slide' enabled.

In response to 'bah' and any of the other high and mighty types proclaiming their technical superiority: that is great for you, but what about all the folks who don't have the knowledge and skills that enable us to protect ourselves?

You practically cannot buy a laptop without a built-in wireless adapter today.

You might be safe, but what about your accountant, or your insurance agent, or your doctor? These guys get a new system and have no idea how to secure it.

I had this happen in Las Vegas. 20th floor of a casino. I use a Mac and I scan for APs before allowing a connection. A Mac allows you to pick before attaching. I checked my firewall then selected "Free Public Wireless". Bam! A computer-to-computer connection was initiated and the usual Win pants-down ports were attacked. What happens in Vegas.....

While no network is completely secure, you have to look at wireless differently than wired.

Wireless security, on a basic level, relies on encrypting the radio frequency signal that is transmitted over the air between devices. Any encryption can be broken. And the fact the signal is going over the air, say, going into the hotel room next to you, the entire building, or even across the street, makes it inherently easier to access and ultimately compromise.

In contrast, wired relies on physical access to the devices transmitting the signal (have to plug in a cable). So, someone can't sit in the hotel room next to me or outside my house for days on end trying to get into my system or network. You can't wardrive a wired system.

Also, with the recent spate of wireless card device driver flaws, disabling the wireless card and not loading the corresponding drivers prevents someone from breaking into my system unknowingly, even if I'm not connected to a wireless network. Just the fact that the flawed wireless card drivers are loaded and the card is active leaves my system open to compromise.

Wireless, not worth it for me anyway. And I didn't mention any of the other cons of wireless (cost, reliability, performance, etc.).

BTW - the Dell Latitude D820 also has a switch on the side of the laptop to turn the wireless card on/off.

I view MS with a jaundiced eye: period, every new patch is another nightmare, I don't need to verify my machine like a criminal. I just did a new install- needed more room for LINUX MYAH not VISTA- turned on the yellow "NOTIFY" condition, which has changed 3x to green "INSTALL" condition. So I have gone code "RED" - let's see! If not MS who is turning on this s/w switch- who/why anyone else? Spyware?? NAW!! All my 802 devices have either h/w or s/w switches, use them, even my new SE 990i, they work! Especially for max battery conditions. Radio is a battery-hog, that inc B/T. I also monitor packet activity 24/7 -if some rogue is out there, abort & redo! Most of us use some sorta dialup, or PPPoE in the front-end, simply disable the 'remember' part. Or go for the paranoia switch & pull the cable. It is your machine, so take it back... since when does the gas cost 10x more than the car???